T0157 - Combosquatting

Combosquatting is an attack technique in which an attacker impersonates a legitimate open source package by adding (often appending) common words, terms, or letters to the authentic package or image name. For example, there is a popular JavaScript package named "lodash", and an attacker may create a package named "lodashs". The goal of this technique is to trick users into unknowingly downloading and using these fake packages or images, which may contain malicious code, vulnerabilities, or other security risks.
ID: T0157
Type: Technique
Tactic: Initial Access
Summary: Combosquatting
State: Draft

Mitigations

| ID | TYPE | SUMMARY | DESCRIPTION |
|----|------|---------|-------------|
| M1200 | Mitigation | Verify package authenticity | Before installing any package, it's important to verify its authenticity. This can include checking the package's digital signature or using a package manager that supports package verification. |
| M1290 | Mitigation | Double-checking package or container names | Users should carefully review package or container names before downloading or installing them, and ensure they are spelled correctly. Double-checking the names can help identify any typos or subtle differences that may indicate a malicious package or container. |
| M1291 | Mitigation | Verify package or container sources | Users should only download packages or containers from trusted sources, such as official repositories or trusted vendors. Avoid downloading packages or containers from unknown or suspicious sources, as they may be more prone to typosquatting attacks. |
| M1500 | Mitigation | Verify third-party artifacts and open-source libraries | Verify third-party artifacts used in code are trusted and have not been infected by a malicious actor before use. This can be accomplished, for example, by comparing the checksum of the dependency to its checksum in a trusted source. If a difference arises, this may be a sign that someone interfered and added malicious code. If this dependency is used, it will infect the environment and could end in a massive breach, leaving the organization exposed to data leaks and more. |
| M1502 | Mitigation | Define trusted package managers and repositories | When pulling a package by name, the package manager might look for it in several package registries, some of which may be untrusted or badly configured. If the package is pulled from such a registry, there is a higher likelihood that it could prove malicious. In order to avoid this, configure packages to be pulled from trusted package registries. |
| M1503 | Mitigation | Implement SCA analysis | Component Analysis is the process of identifying potential areas of risk from the use of third-party and open-source software and hardware components. The best option for implementing SCA analysis is integration of SCA analysis tools into your CI/CD environment in order to scan your source code dependencies before the release. |
| M1590 | Mitigation | Implement artifact signing and verification | Implementing artifact signing and verification can help prevent malicious actors from injecting or modifying software components with malicious code in the software supply chain. Only components that are signed and verified are allowed to proceed to the next stage of the CI/CD process, ensuring that only trusted components are used in the development and delivery of software applications. |
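
The name review described in M1290 can be automated as a pre-install check. The following is an added example, not part of the original entry: it flags dependency names that look like a trusted name with extra words or letters, for manual review rather than as proof of malice. The allowlist, the sample manifest, the function names and the `max_affix` threshold are all assumptions, and only unscoped package names are handled.

```python
import re

# Constructed allowlist: packages the organization has reviewed and approved.
TRUSTED = {"lodash", "express", "react"}

# Constructed sample manifest; "lodashs" is the example name from this entry.
SAMPLE_DEPS = ["lodash", "lodashs", "lodash-utils", "express",
               "node-express", "chalk", "reactjs"]

_SEPARATORS = re.compile(r"[-_.]")


def _classify(name, good, max_affix):
    """Return why `name` resembles the trusted name `good`, or None."""
    # Trusted name appears as a whole separator-delimited component,
    # with another word added before or after it (e.g. "lodash-utils").
    if re.search(rf"(^|[-_.]){re.escape(good)}([-_.]|$)", name):
        return "added word"
    # Trusted name with a few letters glued on (e.g. "lodashs").
    flat, flat_good = _SEPARATORS.sub("", name), _SEPARATORS.sub("", good)
    extra = len(flat) - len(flat_good)
    if 0 < extra <= max_affix and (
        flat.startswith(flat_good) or flat.endswith(flat_good)
    ):
        return "added letters"
    return None


def find_combosquats(dependencies, trusted, max_affix=3):
    """List (dependency, trusted_name, reason) for names needing review."""
    findings = []
    for dep in dependencies:
        name = dep.lower()
        if name in trusted:
            continue  # exact match with an approved package
        for good in sorted(trusted):
            reason = _classify(name, good, max_affix)
            if reason:
                findings.append((dep, good, reason))
                break
    return findings


if __name__ == "__main__":
    for dep, good, reason in find_combosquats(SAMPLE_DEPS, TRUSTED):
        print(f"REVIEW {dep}: resembles '{good}' ({reason})")
```

Run against a real manifest in CI, a non-empty result can fail the build until each flagged name is confirmed or added to the allowlist.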

Detections

| ID | TYPE | SUMMARY | DESCRIPTION |
|----|------|---------|-------------|
| D1260 | Detection | Implement regular security audit and review | Conduct regular security audits and vulnerability assessments of your systems and storage configurations to identify and address any potential misconfigurations or vulnerabilities that could lead to exposed storage. This includes reviewing access controls, encryption settings, and other security configurations to ensure they are aligned with best practices and organizational security policies. |
| D1262 | Detection | Implement vulnerability assessment | Vulnerability assessment is a proactive approach to mitigating cybersecurity risks by systematically identifying, evaluating, and prioritizing vulnerabilities in a system, network, or application. It involves conducting regular assessments to identify potential weaknesses that could be exploited by attackers, and taking appropriate actions to remediate or mitigate those vulnerabilities. |
| D1500 | Detection | Configure monitoring of used artifacts and open-source libraries | Implement regular scanning of used artifacts and open-source libraries for known vulnerabilities. Set up monitoring of reported issues based on regular scanning results. |
